Hot Button Issues in Cyber Insurance
 

Whether arising from data theft, interference with service, disclosure of private customer/subscriber information or otherwise, cyber liability is now a critical concern. Direct losses, and liability and defense costs if third-party information is disclosed, can be tremendous. It is imperative to be properly insured against these events.

Exclusions to the standard commercial general liability policy (a policy held by almost every business) have almost eliminated cyber liability coverage under pre-2014 policies. The 2014 form CGL policy will completely exclude such coverage, requiring insureds to purchase new policies specifically targeted to cyber liability.

This presentation discussed coverage issues related to cyber liability, current coverages available, and how best to use available coverage to protect your business.

    Presentation Transcript

    • 1 HOT BUTTON ISSUES IN CYBER INSURANCE
      Mark W. Dykes
      June 25, 2014
      Parsons Behle & Latimer CLE Breakfast Briefing
    • 2 SEC Guidelines on Disclosure of Cyber Threats and Defense Mechanisms
      • http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm:
      • Victims of cyber attacks may incur substantial costs and negative consequences, including:
        • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused.
        • Increased cybersecurity protection costs (may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants).
        • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
        • Litigation; and
        • Reputational damage
    • 3 SEC Guidelines (cont.)
      • Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
        • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
        • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
        • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
        • Risks related to cyber incidents that may remain undetected for an extended period; and
        • Description of relevant insurance coverage.
    • 4 Traditional Coverages
      • Commercial General Liability (“CGL”)
      • Business Interruption/Time Element
      • Property Damage
      • Crime Policy
      • Directors and Officers
    • 5 CGL: Liability Coverage (Third Party) Only
      The “A” Coverage: BI/PD
      • Insurer will defend insured and pay judgments for damages resulting from “bodily injury” and “property damage” caused by insured.
      • Property Damage is:
        • physical injury to tangible property
        • Loss of use of tangible property that is not physically injured
      • Many courts: electronic data is not tangible property.
      • Exclusion then created, 2.p. for Electronic Data: “Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.”
      • But still: damage to a computer caused by freezing, slowed operations, and a hijacked browser was “property damage.” Eyeblaster v. Fed. Ins., 613 F.3d 797 (8th Cir. 2010).
    • 6 CGL: the “B” Coverage: Personal and Advertising Injury
      • Coverage provided for damages insured becomes liable to pay because of personal and advertising injury arising out of “Oral or written publication, in any manner, of material that violates a person’s right to privacy[.]” (Paragraph 14.e of definitions).
      • This was by far the most commonly invoked provision for providing defense coverage for cyber attacks, data theft, and the like.
      • A number of exclusions were added over the years for TCPA, CAN-SPAM, any similar law, and rights “[a]rising out of the violation of a person’s right to privacy created by any state or federal act.”
      • In 2013, ISO introduced an endorsement, “Amendment of Personal and Advertising Injury Definition,” which stated that “Paragraph 14.e of the Definitions section” did not apply to the B coverage.
      • This was a baby with the bathwater response, because it entirely eliminated coverage for invasion of privacy even if unrelated to cyber attacks.
    • 7 Zurich American v. Sony
      • April 2011 hacking of Sony’s PlayStation online services exposed personal information of tens of millions of users.
      • 50 class-action complaints were filed in the U.S. against Sony. Sony’s losses could exceed $1 billion.
      • Court finds no duty to defend: “Paragraph E (oral or written publication in any manner of the material that violates a person’s right of privacy) requires an act by or some kind of act or conduct by the policyholder in order for coverage to be present.”
    • 8 ISO Exclusions to the CGL Form as of May, 2014
      • www.insurance.state.pa.us/serff_filings/ISOF-129157456.pdf
      • Filed in each state
    • 9 Exclusion for BI/PD (Coverage A)
      Replaces Exclusion 2.p. of Section I, Coverage A (Bodily Injury And Property Damage Liability) with:
      2. Exclusions
      This insurance does not apply to:
      p. Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability
      Damages arising out of:
      (1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or
      (2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
      This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.
      [E]lectronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software . . . or any other media which are used with electronically controlled equipment.
    • 10 Exclusion for Personal and Advertising Injury (Coverage B)
      2. Exclusions
      This insurance does not apply to:
      Access Or Disclosure Of Confidential Or Personal Information
      "Personal and advertising injury" arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
      This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.
    • 11 Traditional Business Interruption (Time Element) Coverage and Property Damage Coverage
      • Traditional property and business interruption policies require “direct physical loss or damage” to property to trigger.
      • Loss of data alone will not suffice.
    • 12 CRIME POLICIES: “Computer and Funds Transfer Fraud Coverage”
      • Theft of “Insured Property” by fraudulent access of computer or fraudulent programming.
      • “Insured Property” is owned by insured or held by the insured in any capacity.
      • Limitations:
        • Covers only “direct loss”
        • Direct Mortgage Corp. v. Nat’l Union Fire Ins. Co., 625 F.Supp.2d 1171 (D. Utah 2008) (“direct means direct”)
        • But see Retail Ventures v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012) (“proximate cause” will suffice)
        • No coverage for loss of any confidential information.
          • Retail Ventures: Exclusion applies only to loss of insured’s confidential information.
    • 13 D&O Issues
      • In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959 (Del. Chan. 1996)
      • Recent derivative lawsuits against Target: breach of duty of loyalty and good faith for failure to implement security policies
    • 14 OCCURRENCE vs. CLAIMS MADE
      • The CGL Policy is almost always an occurrence policy.
        • Provided timely notice is given, insurer will defend and indemnify under the A and B coverages for any occurrence during policy period.
        • Defense costs do not erode coverage limits
      • Crime and D&O policies are almost always issued on a “claims made” basis.
        • Insurer will cover only claims first made and reported to the carrier during the policy period, although fronts and tails will increase reporting period.
        • Defense costs do erode coverage limits
    • 15 Cyber Coverage
      • First Party coverage: Loss of Digital Assets, Non-Physical Business Interruption and Extra Expense, Cyber Extortion, Cyber Terrorism, and Security Event Costs
      • Third Party coverage: Network Security and Privacy Liability, Employee Privacy Liability, and Electronic Media Liability
      • Electronic media includes infringement of domain name, copyright, trade name, slogan, service mark on the internet or intranet site
      • Covers administrative or operational mistakes
      • Breach of Privacy coverage: damages resulting from alleged violations of HIPAA, state, federal, and foreign privacy protection rules
      • Customer Breach Notice Expense and coverage
      • Public Relations Expense coverage
      • Comprehensive Interruption Expenses coverage
      • Soft hammers are possible
      • Defense costs likely to erode coverage limits
    • 16 Warning on Punitive Damages
      • Utah Code § 31A-20-101. Underwriting limitations. No insurer may insure or attempt to insure against:
        (1) a wager or gaming risk;
        (2) loss of an election;
        (3) the penal consequences of a crime; or
        (4) punitive damages.
    • 17 Thank You
      • Mark W. Dykes
      • direct: 801.536.6692
      • email: mdykes@parsonsbehle.com